Mint.com Initial Review

Mint.com, a new free personal finance management site, is easy to get started with, though we're not sure we're completely satisfied with where we end up.

To begin, you enter the user names and passwords for your online banking accounts, and Mint uses those credentials to log in to the accounts on your behalf. The site is easily understood and instantly navigable.

It synced effortlessly with all our accounts, loading all our transactions in under a minute. Within minutes, we were looking at pie charts of our spending habits broken down by type and shown over time. Neat.

What would really take this service up a notch is if it allowed you to transfer funds between accounts. We would love to be able to pay off a credit card from a checking account while logged in to only one website.

One drawback is that because our bank doesn't report the payee on a paper check, a good number of our bill-payment transactions fall outside Mint's categorization.

Our credit card APR was incorrectly listed as 0%, and Mint then told us we could save a grand by switching to Capital One. No thanks.

Lastly, many have raised privacy and security concerns, including the risk of handing your banking user names and passwords to a third party, and the technical method Mint uses to retrieve your account data. If these thoughts make you squeamish, check out Mint's security practices first.

Overall, Mint seems like a great way to get a quick snapshot of your overall personal finances. For people with multiple credit cards and no experience with setting up a budget, it could be quite a boon. But for us, the lack of bank-to-bank transfers, no detailed recording of check-based transactions, and the lack of an interface with brokerage accounts mean we won't be giving up our simple, powerful, and infinitely customizable personal Excel spreadsheet budget for Mint.com anytime soon.

Comments


For some reason I don’t find myself comfortable entering all my banking and information into one website. The state of online security just isn’t that good, no matter what these guys might be doing. It’s a single point of failure.

I’m gonna join the pile-on, here. How long have we heard, from both security experts and financial providers, that you should never give your login details to anyone? And now, you expect us to hand over all of it to a site we’ve never even heard of?

Don’t forget that Mint cannot store your login info in a truly secure fashion, because they need to be able to provide that information to your financial sites. If anyone manages to get into Mint’s database (which, as anyone reading this site should know, is far from impossible), that person will have full access to all of your finances.

I was only marginally impressed. The interface with all my banks was mediocre; the transactions were not always grouped/categorized the way I want them. Additionally, getting it to recognize your bank can be a challenge.

I've yet to successfully add my Chase credit card to this thing. My AmTrust Direct savings account only sporadically works with this thing.

It always recommends services that are actually worse than what I have.

Actually, to make it worse, Mint isn't even the one holding your bank info; they use Yodlee, a third party, to access your account information. They can tell you how secure you are over and over again, but I'm sure TJMaxx, the VA and many others also thought they were secure…

I stopped reading after, “Just enter in the user names and passwords for your online banking accounts”. There is no way it can be a good idea to enter all this information on some new service that may or may not have bullet proof security and probably won’t even exist anymore in a few months.

I find this review, and other mentions of Mint on the Consumerist and Lifehacker (both Gawker-run blogs), very suspicious.

Both have given favorable reviews or mentions of this product while completely ignoring the glaring security risk that providing ALL YOUR BANKING INFORMATION to Mint imposes.

What gives?

Lifehacker in particular has also posted entries about a competing service, Wesabe, in which they describe their skepticism about its security. However, Wesabe does not store any of your financial credentials on its servers, opting to store all your login information locally.

Why would Lifehacker express skepticism about Wesabe's security, but endorse a competing service that most definitely poses a greater security risk?

C’mon Ben, you’re kidding right? This is normally the sort of thing that Consumerist would relish calling bullshit on. No sensible person would hand over passwords to an unknown, much less a savvy Consumerist reader. These glowing comments are suspect… Is it too bold to suggest there’s a little back-scratching going on?

Just FYI. Mint actually uses a service called Yodlee. There's been a lot of controversy in the back wings of forums and the blogosphere due to the fact that Yodlee doesn't have partnerships with all the institutions (they used "many" but not the word "all") and they use web scraping.

Anyone who knows anything about coding knows that web scraping is not only a lousy method to pull information that should be retrieved through an API, but it's unsafe, and at one bank that I looked at, it was actually allowing that service to perform transactions as yourself (no protection from fraud).

I would seriously be careful of using a service that doesn’t have current partnerships with banks and credit card companies due to this fact. It’s scary enough for ID theft, but now I have to trust a third party to not screw over my accounts? Thanks, but no thanks.

Wow… I am really surprised they would even ask you to do that. It seems like a lawsuit waiting to happen. Sure, they may use SSL to transfer your data and it may be encrypted on their server… how long does it take someone to break the encryption? Not long. I mean, just look at WEP, 128-bit encryption broken in 10 min. That is sad.

I should probably add here that if it turns out even Consumerist is not above doling out favorable marks for friends, or a price, or whatever, that will spell doom so ironic it will be worthy of a Darwin award.

I tried it out last time you guys wrote a story about it. Personally, I think it sucks. 1) There's no way to manually enter an account & transactions, so if your bank's not listed (or you don't feel comfortable entering your login info), you're screwed. 2) No support for retirement accounts (meaning your budget is incomplete). 3) Somehow, it merged info from multiple accounts, so a withdrawal from one account was credited to an improper account – I have no idea how this happened other than the amounts were the same. 4) Multiple CC APRs were listed incorrectly (not that I care, but it skews their deal info).

Neat idea & definitely a cool interface, but overall it doesn't really help me get the "whole picture" b/c of the problems I had. Any idea on how to "cancel your account", b/c evidently there's no way to do that either.

I have no qualms about using an aggregator like this… but Yodlee is soooooo much better. It's not even close. Mint does not have as many accounts and is just not sufficiently robust. Yodlee has its problems but it is far superior. Security is not really a problem as long as you access your accounts from a private place and use common sense. Yes, it's breakable… but so is the front door to my house, and my windows are made of a very weak material called "glass"… look, it's great to be safe but let's not be paranoid. Things like Yodlee help more than hurt. I've been using Yodlee for 7 years without a problem.

I tried Mint out, and my problem with it is how it handles ATM fees. For my Chase debit card, when I use it at a non-network ATM and get hit with a $3 fee, Mint records the total amount Debit + Fee as a "bank charge". So I have all these warnings about the $83 in bank charges on my accounts.

With the closure last month of Yahoo's online BillPay service I find myself without a usable electronic payment site. My Credit Union will let me make payments without charging, but the user interface is about 10 years out of date. Alternatively, my other bank will let me make payments for free because I'm a 'Platinum' customer, but I worry that at some point I may want to pull money out to get a higher rate and I will be back in this situation again.

Anyone know of a free, reliable online bill payment system – it pretty much only has to allow free payments to VISA and AMEX accounts – that will work with my Credit Union? I had hoped MINT would fit the bill, but apparently it does not.

@AlexPDL: “Security is not really a problem as long as you access your accounts from a private place and use common sense. Yes it’s breakable… but so is the front door to my house…”

There are a couple of problems with your line of thinking here.

1) Accessing your accounts from a “private place” has nothing to do with it. Mint/Yodlee store your full login info on their servers. The attacker could be anywhere in the world, and doesn’t even need to target you specifically, in order to get your login info. Once he has that login info, he can do anything he wants to your accounts.

2) The front door to your house requires a suspicious person to walk up to and physically break it, creating all sorts of noise and physical evidence. Breaking into Mint/Yodlee takes a hacker anywhere in the world with nothing more than the motivation and a little time. Or maybe just a misplaced backup.

So in summary: An anonymous hacker from anywhere in the world can silently gain access to and control of all your personal finances, from anywhere in the world, without having to even know who you are. The only thing in their way? Mint/Yodlee’s security, which we do not know the details of, and may not even be notified if it’s ever broken. In the meantime, their servers/database are nothing but a huge bullseye to hackers, who have all the time in the world.

I've used a similar program, called Mvelopes, which I think is great. Of course it costs about $10 a month, but strangely, despite loving free things, when giving out such information as logins/passwords I feel safer giving it to a company I pay.

@Cy Guy: you might want to express your displeasure to the credit union – I would recommend a letter to the CEO/general manager & the board of directors. The great thing about credit unions is your ability as a member to effect change.

If the interface is as old as you say, they might be looking into alternatives & your input may help sway their decision. Or, if you point out that their bill pay restricts your ability to bank with them, they might even pay you to use a fee-based service (I have a friend who negotiated reimbursement for using Quicken's bill pay b/c he's a valued member at a CU that doesn't offer bill pay).

@INDECISION: Under this line of logic then all e-commerce is unsafe. I admit to a certain degree it IS unsafe… like everything in life. As to notification… at least here in California, under state law they have to notify.

I know my accounts and I know the activity to expect on my accounts. I also know how much protection my financial providers give me for ID theft.

Everyone needs to do their own cost-benefit analysis… but the costs are often overdone. It's always fun to think that one has the key piece of information… ID theft, hacking, encryption protocols… it's also fun to terrify family and friends with doomsday scenarios. The media and government love to terrify us. I was robbed once and I've had one credit card # stolen, even with GREAT care. Never has it happened on-line. In the last 10 years it always happened in the 3-dimensional world. We must ALL be careful… not paranoid.

"Never has it happened on-line. In the last 10 years it always happened in the 3 dimensional world. We must ALL be careful…not paranoid."

It's never happened to YOU, but it's certainly happened to 45,000,000+ TJ Maxx customers. This is more than 10% of the US population and does not include people who have been affected in other data loss incidents. In other words, it DOES happen and it's not uncommon.

There is not as much risk with a credit card. But if my online banking credentials were to be compromised, someone could actually clean me out. Even if the bank bailed me out in the long term (maybe they wouldn’t if they found out I disclosed the information to a third party), the short term consequences would be a nightmare. In this case there’s no such thing as too cautious.

Nope. E-commerce doesn’t rely on you placing all your eggs in one basket. Let’s say someone breaks into Amazon’s servers, and gets my login information. What can they do? They can maybe order some products (which I can easily contest), but that’s really it. They can’t access my checking account, my savings account, my MBNA account, my Chase account, my car loan account, or my retirement account. To get into all of that would mean targeting 6 different banks’ systems.

Mint offers a central point of failure. An attacker who breaks into Mint’s database suddenly has my login information for all of those accounts, and has them all at the same time. It’s now possible to wreak large amounts of havoc. It does no good to “know the activity to expect”, because the havoc can be wrought before you have a chance to see those patterns (or do you review your accounts hourly?). Likewise, it’s no comfort to know what sort of after-the-fact protections your bank has, because you’re still in the awful situation of having to use them.

“The media and government love to terrify us. I was robbed once and I’ve had one credit card # stolen, even with GREAT care. Never has it happened on-line.”

It has nothing to do with the media terrifying anyone. I work in IT. I’m far more aware of the inherent security risks than your average Joe would be. I don’t just know that it’s insecure, I know how insecure it is, and why.

Both of my credit unions now use 2-factor identification. MINT just asks for ID and password and doesn't seem to handle 2-factor stuff. Not sure how it could, since the 2-factor questions vary at each login. One requires you to select an image that is the same as one you chose when opening the account. Guess I'd rather have tight security than an easy way to see my accounts together.

I’ve been using Yodlee for a while now, and I find it invaluable in keeping track of our finances. It is far from perfect, and I was hoping that mint might be an improvement. Sounds like I’m better off sticking with Yodlee.

Yes, I worry about the security risk, but I worry more about forgetting to pay my bills on time.

@ericlakin: “Not sure how it could since the 2-factor questions vary at each login. One requires to you select an image that is the same as one you chose when opening the account.”

Here’s how they can: their back-end server “logs in” to your account, and your bank displays the collection of images to the Mint server, which displays them to you. You tell Mint which one is correct, and Mint relays the answer to your bank’s site. Your bank site lets Mint log in, and Mint saves the ‘correct’ image. Next time Mint wants your account info, it gets the array of pictures from your bank, compares them to the image it has saved, and picks the one that matches.

Incidentally, a phishing site can use the exact same method to make you think you’re logging into your bank’s actual site, with the added peace of mind of having the correct security image. That’s because your bank isn’t really using two-factor authentication. They’re using one-factor, just doing it twice.

See, there are three ways of proving identity. Passwords, security questions, and these images are in the "something you know" category. The problem with "something you know" is that you can tell it to someone else (or they can trick it out of you), and now they know it too.

For true security, it needs to be paired with something from one of the other categories. One is “something you are” — biometrics. Generally this means a fingerprint, or for higher resistance against fakes, a retina scan. This is impractical for the home user, and so I don’t expect online banking to use it.

The obvious choice, then, is “something you have.” A physical object which must be provably in your possession in order to log in. This is easy. The most common is the little keyfobs that display random numbers on the press of a button. The idea (and it’s been proven to be true enough to trust) is that there are only two things that know what the next number will be: the server at your bank, and the device in your pocket.

So if someone else has your password, they can’t log in without the device. And if you lose the device, whoever finds it still can’t log in because they don’t have your password. Now that’s two-factor authentication.
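The mechanism the two comments above describe (a stored security image that an aggregator or a phishing relay can match again and again, versus a fob whose next number only the bank and the device can produce) can be shown concretely. The following is an added example, not code from the post, from Mint, Yodlee or any commenter: it implements HOTP (RFC 4226) and TOTP (RFC 6238) in the standard library and a constructed bank-side verifier that requires both factors and refuses to accept a code whose time step has already been used. The seed is the RFC test vector seed, the password `hunter2` and the verifier class are invented for the demonstration.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test seed. A real fob is provisioned with a random seed
# that exists in exactly two places: the token and the bank's verifier.
RFC_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(seed, int(now) // step, digits)


class BankVerifier:
    """Constructed model of a bank's login check (not any real bank's code).

    Accepts a code from the current time step or one step either side for
    clock drift, and remembers the highest counter already consumed so the
    same code cannot be replayed, which RFC 6238 requires of a verifier.
    """

    def __init__(self, seed: bytes, password: str, step: int = 30, window: int = 1):
        self.seed = seed
        self.password = password
        self.step = step
        self.window = window
        self.last_counter = -1

    def login(self, password: str, code: str, now: int) -> bool:
        # factor 1, "something you know"
        if not hmac.compare_digest(password, self.password):
            return False
        # factor 2, "something you have": only the fob shares the seed
        counter = int(now) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.seed, c), code):
                self.last_counter = c
                return True
        return False


def demo() -> dict:
    """Four login attempts against one verifier; the fob is simulated with totp()."""
    bank = BankVerifier(RFC_SEED, "hunter2")   # constructed password
    t = 59                                     # clocks agree: time step 1
    code = totp(RFC_SEED, t)                   # what the fob displays: 287082
    return {
        "password_and_fresh_code": bank.login("hunter2", code, t),
        "stolen_password_no_fob": bank.login("hunter2", "000000", t),
        "fob_without_password": bank.login("wrong-password", code, t),
        # a code captured by a relay or phishing page, replayed one step later
        "captured_code_replayed": bank.login("hunter2", code, t + 30),
    }


if __name__ == "__main__":
    print(demo())
```

The contrast with the security-image scheme is the last line of `demo()`: a relayed image match works every time because the "secret" never changes, while a relayed one-time code is dead as soon as the bank has consumed its counter. A real-time relay can still forward a fresh code within its 30-second step, so the fob raises the cost of phishing rather than eliminating it; that is why the replay guard and the short step both matter.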

@catita: thanks for the link. I've been looking for something like this for a LONG TIME. I was using PDA Money, but entering everything in on a handheld takes FOREVER & the full version ($30) syncs with Money for the PC (another $30), but Money clears everything automatically, which actually makes it harder for me to keep my accounts in check. Call me old-fashioned, but I still like checking things off as they clear.

Anyway, I'm checking it out now & it looks exactly like what I need. Awesome!

No way would I ever give all of my credentials to a single person. I work in the IT field and know far too well how easy it is to steal info online. It is one thing to set up online account access with a bank, but this is a completely different beast. The reason:

When setting up a username/password on a banking/credit card/etc. website, your password is put through a one-way hash which prevents it from being stolen and used elsewhere. They are able to do this because when you enter your password on the site, all it needs to do is run your entry through that same algorithm, and if the output is the same, then you are let in. It doesn't actually compare your password to a previous entry; it compares your password put through an algorithm and tests the output.

Mint.com can't do this because it needs to first take your password, then retransmit it to the actual bank you are with. So even if it does encrypt your password when it stores it, there still has to be a key and function on the server to decrypt it. Which makes it much easier to steal. In addition to this, ALL of your passwords/usernames will be stored in the same place.

Great concept, horrible execution. They would have been better off selling this as a stand-alone application, but even that screams security problem to me because the typical home computer is about as insecure as a park trashcan.
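The distinction the comment above draws, verify-only storage at the bank versus replayable storage at an aggregator, is worth seeing side by side. This is an added example and not code from the post, from Mint or from any commenter. Model A stores a salted PBKDF2 hash and can only answer "does this attempt match?"; Model B must hand the bank the plaintext later, so it stores a reversible ciphertext and the key that undoes it. The symmetric cipher here is an HMAC-SHA256 keystream XOR standing in for AES-GCM, chosen to stay in the standard library; the user names, passwords, wordlist and the "breach" functions are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# ---- Model A: the bank. It only ever needs to VERIFY a password. ----

HashRecord = Tuple[bytes, int, bytes]          # (salt, iterations, digest)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> HashRecord:
    """Store a salted, iterated one-way hash; the password itself is never written down."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, record: HashRecord) -> bool:
    """Re-run the same function on the login attempt and compare the outputs."""
    salt, iterations, digest = record
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(attempt, digest)


def offline_guess(record: HashRecord, wordlist) -> Optional[str]:
    """All a thief of the hashed table can do: guess, one slow hash at a time."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


# ---- Model B: the aggregator. It must REPLAY the password to the bank. ----
# Stand-in for a real cipher (use AES-GCM in practice): HMAC-SHA256 keystream
# XORed over the plaintext. The property that matters is the same as with AES:
# whoever holds server_key can undo it, and server_key has to live on the server.

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_credential(server_key: bytes, password: str) -> Tuple[bytes, bytes]:
    nonce = os.urandom(16)
    return nonce, _keystream_xor(server_key, nonce, password.encode())


def decrypt_credential(server_key: bytes, record: Tuple[bytes, bytes]) -> str:
    nonce, ciphertext = record
    return _keystream_xor(server_key, nonce, ciphertext).decode()


def demo() -> dict:
    """Constructed users, then a breach of each database."""
    users = {"alice": "correct horse", "bob": "Tr0ub4dor&3"}

    bank_db = {u: hash_password(p) for u, p in users.items()}
    server_key = os.urandom(32)                    # must sit on the aggregator's server
    aggregator_db = {u: encrypt_credential(server_key, p) for u, p in users.items()}

    # Breach of the bank: attacker has the table; no key exists, so guessing only.
    wordlist = ["password", "letmein", "correct horse"]
    bank_loot = {u: offline_guess(rec, wordlist) for u, rec in bank_db.items()}
    # Breach of the aggregator: attacker has the table AND the key it is decrypted with.
    aggregator_loot = {u: decrypt_credential(server_key, rec) for u, rec in aggregator_db.items()}

    return {
        "bank_verifies_alice": verify_password("correct horse", bank_db["alice"]),
        "bank_rejects_wrong": verify_password("wrong", bank_db["alice"]),
        "bank_breach_recovers": bank_loot,              # only the guessable one
        "aggregator_breach_recovers": aggregator_loot,  # every password, immediately
    }


if __name__ == "__main__":
    print(demo())
```

In Model A the attacker still gets Alice's password, because it was in a short wordlist; hashing buys time, not immunity, and the iteration count is what sets the price per guess. In Model B no guessing is needed at all once `server_key` is taken along with the table, which is exactly the "key and function on the server" problem the comment points out; a hardware security module or per-user key wrapping narrows the exposure but cannot remove it, since the service must still obtain the plaintext to log in as you.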

The site doesn’t work. I tried numerous times, over numerous days to set up the accounts and it always hung or canceled out immediately. The site is a piece of crap and doesn’t work, but it looks nice :)

eCommerce is insecure. It has gotten much better, but it's far from great. Not only is the technology imperfect, but the human element is the worst. I can't tell you how many times I have been able to call into companies and have them give me account info for accounts I have no legal right to touch. I have done this with permission from the person who does own the account, of course, but it still proves how stupid it is to have so much faith in companies.

I'm in my early 20s and have learned most of what I know about computers and security by exploring these vulnerabilities. Humans are too prone to be helpful, so abusing that instinct is easy. Because of my ability to recognize these weaknesses I am good at my job (systems admin). I am able to train our staff to recognize these risks and prevent the exploitation of them, and if need be I can get other companies to do things for me (like change account info when people forget it) quicker.

If Mint ever gets really popular, I may have to set up a dummy account just to see if I can get into it once it's locked down. Right now they are small enough (less than 9000 users) so it would be much tougher (I'd hope), but we will see.

If you think I’m kidding, try this test.

Log on to your company's website and look for the name of a high-up executive. Create a Hotmail account with that user's name. Use Outlook to alter the "display name" that shows when you email. Now email a bunch of people in your company and make up some story about trying to update records, and ask for basic info like name/username/phone number.

You will get replies. (If you don't, that's great.)

Step two:

Pick a couple of them and email them back saying you are having some trouble with altering their account info, and ask for their password so you can log in as them and do some troubleshooting. I bet in a medium-sized company, with a convincing email, you get a handful of responses before the IT admin puts the word out that it's a bunch of crap.

For more fun, have your IT admin do it as a test so you don't get fired.
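The trick in the two steps above works because mail clients show the display name and bury the address, so a Hotmail account labelled with an executive's name passes a glance. The defensive counterpart is a check that looks at the parts the client hides. The following is an added example written for this page, not code from the post or from any commenter: it parses the `From:` and `Reply-To:` headers with the standard `email` module, compares the display name against a constructed staff directory, and scans the body for a credential request. The domain `example.com`, the executive `Jane Doe`, the helpdesk mailbox and the three sample messages are all constructed for the demonstration, and the check goes a little beyond the comment by also catching the Reply-To redirect variant of the same ploy.

```python
import email
from email.utils import parseaddr
from typing import Dict, List

# Constructed company directory: the people an attacker would impersonate.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES: Dict[str, str] = {"Jane Doe": "jane.doe@example.com"}
CREDENTIAL_WORDS = ("password", "passcode", "login details", "log in as you")


def _norm(name: str) -> str:
    """'Doe, Jane', 'Jane  Doe' and 'jane doe' compare equal."""
    return " ".join(sorted(name.replace(",", " ").lower().split()))


EXEC_INDEX = {_norm(k): v for k, v in EXECUTIVES.items()}


def review_message(raw: str) -> List[str]:
    """Reasons this message looks like display-name impersonation; [] if clean."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings: List[str] = []

    # 1. Display name of an insider, but the address underneath is not theirs.
    who = _norm(display)
    if who in EXEC_INDEX and addr != EXEC_INDEX[who]:
        findings.append(f"display name '{display}' belongs to {EXEC_INDEX[who]} but sender is {addr}")

    # 2. Replies quietly routed somewhere other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to.lower()} differs from From {addr}")

    # 3. The ask itself: nobody legitimate needs your password by email.
    text = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    hits = [w for w in CREDENTIAL_WORDS if w in text.lower()]
    if hits:
        findings.append("body asks for credentials: " + ", ".join(hits))
    return findings


# Constructed sample messages.
SPOOFED = """\
From: Jane Doe <jane.doe.ceo@hotmail.com>
To: staff@example.com
Subject: Records update

Hi, I am updating our records. Please reply with your username and password
so I can log in as you and sort out the problem.
"""

REPLY_TO_TRICK = """\
From: IT Helpdesk <helpdesk@example.com>
Reply-To: it-support-desk@hotmail.com
To: staff@example.com
Subject: Account verification

Please confirm your login details by replying to this message.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Town hall

Reminder that the town hall is at 3pm in the main room.
"""


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("reply-to", REPLY_TO_TRICK), ("legit", LEGIT)):
        print(label, review_message(raw))
```

A check like this is a triage aid, not a control: the visible `From:` header is attacker-supplied text, so the real defences are SPF/DKIM/DMARC on the domain being impersonated and a staff habit of never sending a password in reply to an email, which is the lesson the test above is meant to teach.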

Sounds like one-stop shopping for total identity theft. Lots of comments on here fussing about hacking and security from the outside. Another concern is the disgruntled or careless employee intentionally or accidentally compromising security. I'd guess a devious, pissed-off ex-employee could make quite a bit selling a huge database of banking and credit card login information. I too am surprised Consumerist isn't dumping all over the very notion of providing some online startup with ALL your banking logins.

I said this the very first time I heard about Mint. The people who sit on the board are well-connected in the silicon valley VC community. They’ll keep getting good press and winning ad-hoc awards because of who they know.

Never underestimate the power of the Apple strategy: You can go to market with an inferior product, as long as people are fairly ignorant of their options, and you market your product properly.

Case in point? Yodlee has offered bank-to-bank transfers(the main thing Ben said he wanted) for over a year now. Ben didn’t know that because Yodlee doesn’t have VC friends who can ensure it gets to be a “tech darling”, whatever the hell that means.

I probably should shut up about Yodlee, though, because they probably won’t be able to keep it free if they get too big, and all the Mint people would just clog up the support queue, anyways.

I don’t see all the big fuss. Mint is secure; it says so right on the site. And it uses Yodlee, which says IT’S secure. So that’s two layers of security. My front door has only one layer.

The biggest problem seems to be that it (a) doesn’t work with every bank, and (b) it uses web scraping, which will break every time the bank updates its site.

So I have decided to jump into the ring and compete. Introducing: “Julep”.

I – I mean, Julep – will use manual web surfing, using the latest Internet Explorer 7.0. And I guarantee Julep will work with every single bank web site on the planet. In fact, Julep is even compatible with credit unions that don’t have a banking site; as long as they have a telephone number, Julep will work – work for your money.

And the second best part: It’s completely free. Why only second best? Because:

Julep works by e-mail. That’s right, no complicated “web browsers” or “protocols” to learn. Got a Blackberry? You can use Julep. Got a cell phone with SMS? Julep is for you. Let’s see Mint top THAT.

@Jay Levitt: I don't think this Julep is all it's cracked up to be. I sent that email & I got a daemon error. Or is "daemon error" just the name of the person responding to me? I'm confused. Should I just post my info here?

One security flaw that is not called out well to the consumer is the fact that you are by default set up to receive a summary email. While the email does not contain account numbers, it does contain the names of the financial institutions and the current amounts in these accounts. Email is NOT a secure medium. You can turn this email notification off in preferences, but due to the sensitive nature of this data I'm shocked that it was turned on by default. I've since canceled my mint.com account.